ADR-0010 — AI opt-out per customer
- Status: Accepted
- Date: 2026-04-25
- Decision-makers: Tom Anderson
Context
Helm's AI Support bubble sends a grounding payload to Claude on each query. By default, when an operator is on a customer's screen and asks a question, that customer's identifying data (name, email, phone, recent transactions) is included.
For most operators and most customers this is fine — it's how the AI gives useful answers about that customer. But some customers will (reasonably) not want their identifying data sent to a third-party LLM, even with Anthropic's no-training guarantee.
Two patterns considered:
- Opt-in: AI is off by default for each customer; the shop opts each customer in. Reduces utility for everyone by default; the shop has to manually enable for most customers.
- Opt-out: AI is on by default; each customer can opt out via a toggle. Most customers don't care and get the better experience; those who do care have an explicit control.
Opt-out is the standard pattern for similar data-use questions (marketing emails, etc.) where the use is low-risk and beneficial-by-default.
Decision
Implement per-customer AI opt-out:
- `customers.ai_optout` column, default 0 (AI grounding allowed)
- A toggle on the customer profile, surfaced as one of the marketing-pill toggles
- When `ai_optout = 1`:
  - The structured grounding payload skips the customer's name, email, phone, address, dob
  - Aggregate references ("the customer", "this customer") are allowed but no identifying fields
  - The AI conversation is logged with `customer_id = NULL` so future indexed queries can't tie the chat to the customer
- Changes to this flag are audit-logged
- Visible to operators on the customer profile as an "AI: opted out" badge when set
The shop's privacy policy should mention this control. Helm provides default copy.
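A minimal sketch of the opt-out rules above, added here as an example and not Helm's own code. Everything except the `customers.ai_optout` column (the other table layouts, the function names, the sample rows) is an assumption, as is the choice to treat a missing customer row or any non-zero flag as opted out.

```python
import sqlite3

# Fields the ADR says the grounding payload skips when ai_optout = 1.
IDENTIFYING_FIELDS = ("name", "email", "phone", "address", "dob")

def open_demo_db():
    """Constructed schema and rows; only customers.ai_optout is named in the ADR."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
            phone TEXT, address TEXT, dob TEXT, ai_optout INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE ai_conversations (customer_id INTEGER, question TEXT);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, customer_id INTEGER,
            operator TEXT, old_value INTEGER, new_value INTEGER);
        INSERT INTO customers (id, name, email, phone, address, dob) VALUES
            (1, 'Ada Example', 'ada@example.test', '555-0100', '1 Test St', '1990-01-01'),
            (2, 'Bo Example', 'bo@example.test', '555-0101', '2 Test St', '1985-05-05');
    """)
    return conn

def set_optout(conn, customer_id, opted_out, operator):
    """Change the flag and write the audit row in one transaction."""
    with conn:
        row = conn.execute("SELECT ai_optout FROM customers WHERE id = ?",
                           (customer_id,)).fetchone()
        if row is None: raise KeyError(customer_id)
        new = 1 if opted_out else 0
        conn.execute("UPDATE customers SET ai_optout = ? WHERE id = ?", (new, customer_id))
        conn.execute("INSERT INTO audit_log (customer_id, operator, old_value, new_value)"
                     " VALUES (?, ?, ?, ?)", (customer_id, operator, row["ai_optout"], new))

def build_grounding(conn, customer_id):
    """Return (payload, customer_id to store in the conversation log)."""
    row = conn.execute("SELECT * FROM customers WHERE id = ?", (customer_id,)).fetchone()
    payload = {"customer_ref": "this customer"}
    # Fail closed: a missing row or any flag value other than 0 counts as opted out.
    if row is None or row["ai_optout"] != 0:
        return payload, None
    payload.update({field: row[field] for field in IDENTIFYING_FIELDS})
    return payload, customer_id

def ask(conn, customer_id, question):
    """Build the payload and log the chat; the call to the model is left out."""
    payload, log_customer_id = build_grounding(conn, customer_id)
    with conn:
        conn.execute("INSERT INTO ai_conversations (customer_id, question) VALUES (?, ?)",
                     (log_customer_id, question))
    return payload
```

The flag gates only the structured fields; identifying text an operator types into the question is not filtered by this code.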
Consequences
Positive:
- Customers get a meaningful, exercisable control
- Aligns with data ownership and privacy
- Operators can still ask AI questions about an opted-out customer; the AI just doesn't see the identifying data
- The opt-out is per-customer, not per-shop — granular
Negative:
- AI answers for opted-out customers are less specific (no name, no email)
- The shop's AI usage costs are unchanged; opt-out doesn't reduce the spend
- Some operator workflows ("draft a follow-up email to this customer") don't work for opted-out customers
Mitigations:
- The UI explains the trade-off when the operator hovers the opt-out badge
- For opted-out customers, the UI gracefully degrades — "AI can help with general questions about this customer's record" with reduced specificity
Notes
This decision sits in the small intersection of "product feature" and "compliance posture." We err on the side of giving the customer control even at the cost of operator convenience, because the alternative (opted-in by default with no opt-out) is the pattern that's eroding trust in AI products generally.